Digital Transformation Team
Senior Lead - Security & Compliance Officer
Sri Lanka - Colombo Office
Job Summary
This is a senior position responsible for supporting the CISO in all aspects of the organization's information security program. This role provides strategic oversight, operational leadership, and technical authority across the full spectrum of cybersecurity - from governance and risk management to threat intelligence, incident response, and security architecture. This role will serve as a key liaison between the security function and business leadership, ensuring that cyber risk is effectively communicated, managed, and embedded into the organization's culture and decision-making frameworks. This role involves conducting in-depth security research, guiding secure development, and promoting security best practices. Additionally, this role will provide an opportunity for engagement with our core product security efforts, and you will play a critical role in protecting and defending both WSO2 and our product suite. Our global security professionals support WSO2 customers (both internal and external) and partners across all regions. We act as trusted advisors to our engineers and developers, and establish industry-leading strategies for secure open source software development.
Key Responsibilities
Strategic leadership and program management
- Support the WSO2 Security Team in developing and executing an enterprise-wide information security strategy, roadmap, and multi-year program.
- Represent security at leadership discussions, risk/compliance, and regulatory meetings as required.
- Drive alignment between cybersecurity initiatives and overarching business objectives, risk appetite, and regulatory obligations.
- Lead the development, maintenance, and enforcement of information security policies, standards, and procedures.
- Structure employee awareness sessions and training programs for Security Risk and Compliance. Evangelize security for customers as well as in public forums.
- Monitor both internal and external feedback from the customers and community users on security and compliance of WSO2 products, and assist with developing enhancements.
- Develop marketing strategies based on security for WSO2 products and solutions.
Risk management and governance
- Oversee WSO2's cyber risk management framework, ensuring risks are identified, assessed, and treated in line with the enterprise risk strategy.
- Maintain and mature the information security governance structure, including team charters, reporting cadences, and escalation paths.
- Provide authoritative guidance on risk acceptance, exception management, and third-party risk across the supply chain.
- Develop scalable security frameworks, controls, and processes to meet emerging threats, regulatory requirements, corporate security policies, and customer commitments.
- Identify trends in cybersecurity, product vulnerabilities, and operational effectiveness. Identify applicable risks and collaboratively implement effective mitigation strategies across the organization.
- Proactively perform risk analysis for management, evaluating the impact on security control effectiveness, compliance adherence, policy updates, changes in business requirements, and cybersecurity incidents.
- Build strategy to verify that the mandated security checks, controls, procedures, and best practice guidelines are effectively executed and validated for completeness/accuracy.
Security operations and incident response
- Provide support and guidance to execute on capabilities for Security Operations Centre (SOC), product security, threat detection, and incident response.
- Engage as an active member of investigations, contribute to leadership communications, and provide strategic support. Ensure operational effectiveness and governance structures are met. Ensure timely containment, remediation and regulatory obligations are executed.
- Drive continuous improvement of detection, response, and recovery processes informed by post-incident reviews.
- Support the effective execution of programs like vulnerability management, penetration testing, red team exercises, etc.
- Collaborate with security teams, product teams, customers, regulators, and senior leadership on incident management. You will be a key player in our efforts to detect, protect, and defend.
Security architecture and engineering
- Provide strategic security and compliance direction for architecture across cloud, on-premise, and hybrid environments.
- Review significant security design decisions, partners, and vendors to ensure compliance, data protection, and risk management goals are met.
- Ensure security is embedded throughout the software development lifecycle (SDLC), Security Operations pipelines, and change processes.
- Research vulnerabilities, threats, and technologies to assess their impact on WSO2 cloud platforms, products, and services. Develop and execute a risk mitigation strategy that builds and maintains customer confidence.
- Explore new security technologies and determine the integration strategy into WSO2 processes.
- Help build automation strategies for security and compliance processes to achieve efficiency, consistency, more effective compliance results, and reporting.
- Review security testing/scanning reports, customer/prospect inquiries, and legal regulatory standards/requirements and provide guidance and direction.
Compliance and audit
- Lead engagement with internal audit, external auditors, and regulators on cybersecurity matters.
- Oversee the preparation and execution of compliance assessments, certifications, and accreditations.
- Monitor the regulatory landscape and advise both security and business leadership on emerging obligations and their implications.
- Develop and execute strategies for maintaining continued compliance with upgrades, enhancements, and migrations.
- Ensure the security programme meets all applicable regulatory, legal, and contractual requirements (e.g., ISO 27001, NIST CSF, GDPR, PCI-DSS, SOC 2). Continuously monitor effectiveness of security controls, provide reporting and escalation when needed.
People and culture
- Lead, mentor, and develop a high-performing security risk and compliance team spanning multiple disciplines.
- Champion a security-aware culture across the organization through effective awareness, training, and engagement programs.
- Build and maintain strong relationships with stakeholders across technology, product, legal, HR, finance, and operations.
- Support workforce planning, hiring, and succession planning within the security function.
- Effectively break down complex tasks, delegate responsibilities, and ensure successful delivery through collaborative follow-up and coordination. This role requires strong project management skills, technical acumen, and leadership to manage expectations and ensure on-budget, on-schedule execution.
- Maintain effective professional relationships with extended teams (Security, Engineering, Pre-sales, Marketing, Sales, Legal, and Infrastructure) on security initiatives. Coordinate unplanned group efforts, manage conflicts professionally, and drive resolutions.
- Ability to give timely and helpful (positive and negative) feedback to interns, peers, and seniors (e.g., 360 feedback). Provide leadership in terms of educating and providing guidance in areas of expertise.
- Ability to provide technical leadership, mentoring, direction, and feedback to junior members across the organization. Drive team and/or individual motivation and performance.
Qualifications and relevant experience
- Minimum 10+ years of progressive experience in information security, with at least 5 years in a senior leadership role.
- 2+ years of project management experience, demonstrated by successfully driving projects to completion, measuring results, and leading cross-functional teams.
- Proven track record of managing large-scale cybersecurity programs in complex, regulated environments.
- Substantial experience leading and responding to significant cybersecurity incidents.
- Extensive knowledge of security frameworks including NIST CSF, ISO/IEC 27001, CIS Controls, and MITRE ATT&CK.
- Experience implementing and operating regulatory/industry standard certifications for data privacy, security, and compliance is required (GDPR, HIPAA, SOC 2 Type 2, ISO, PCI, DORA, CRA, etc.).
- Demonstrated ability to develop a global strategy into an action plan/roadmap that is deployed across the organization. Perform complex reviews, interpreting the results and understanding cost impacts.
- BSc/MSc in Computer Science, Engineering, Security, Information Systems, or a related field.
- Certifications in one or more of the following: CISA, CISSP, CISM, OSCP, and OSWE. Cloud certifications (Azure, AWS, and GCP) are also highly valued.
- Relevant cloud security certifications (e.g., CCSP, AWS Security Specialty, Azure Security Engineer) are advantageous.
Relevant skills and competencies
- Exceptional strategic thinking and ability to translate complex technical risk into business-aligned recommendations.
- Demonstrated ability to communicate effectively with C-suite executives, board members, and regulators.
- Strong analytical, problem-solving, and decision-making capabilities under pressure.
- Outstanding written and verbal communication skills with the ability to present to diverse audiences.
- High emotional intelligence and ability to influence, negotiate, and build consensus across organizational boundaries.
- Deep technical depth across core security domains: identity and access management, network security, endpoint protection, cloud security, data protection, and application security.
- Self-motivated with the ability to work with little supervision. Have a strong analytical focus, solid judgment under pressure, and business decision-making skills.
- Excellent communication and interpersonal skills. Ability to negotiate with customers, peers, and partners to achieve a win-win solution.
In Addition to a Competitive Compensation Package, WSO2 Offers:
- A work culture and environment where we value both hard work AND flexibility.
- A sensible vacation/leave plan that fits your needs.
- Health insurance for you and your family.
Diversity Drives Innovation
We've built our business on a commitment to diversity and inclusion. We believe it's important to foster an environment that values and respects each individual's strengths, perspectives, and ideas. Doing so not only drives innovation; it also ensures that we can create superior experiences for our customers, partners, and employees worldwide. We value the diversity of our team regardless of race, ethnicity, religion,